How to uncorrelate account to old identity and correlate it to new identity

Hi,

Good day. Just want to ask, how can we disconnect the account from the old identity and link it to the new identity?

We created a cloud rule (see below):

Map returnMap = new HashMap();

// Attributes read from the account being correlated
String empId = account.getStringAttribute( "employeeNumber" );
String dn = account.getStringAttribute( "distinguishedName" );
String empStatus = null;
sailpoint.object.Identity employee;

// Look up an existing identity whose employeeId matches the account's employeeNumber
List employees = idn.findIdentitiesBySearchableIdentityAttribute( "employeeId", "Equals", empId, "employeeId" );

if ( employees.iterator().hasNext() )
{
    employee = employees.iterator().next();
    empStatus = employee.getStringAttribute( "empStatus" );
}

if ( dn != null && dn.toLowerCase().contains( "ou=disabled" ) )
{
    // Account in the disabled OU: correlate on oldEmpId, only when the matched identity is FTE
    if ( empStatus != null && empStatus.equals( "FTE" ) )
    {
        returnMap.put( "identityAttributeName", "oldEmpId" );
        returnMap.put( "identityAttributeValue", empId );
    }
}
else
{
    // Any other account: correlate on employeeId
    returnMap.put( "identityAttributeName", "employeeId" );
    returnMap.put( "identityAttributeValue", empId );
}

return returnMap;

Thank you very much.

Hi Michael Angelo Gambayan
Good Day!
Check the below sample code!

Identity identity = link.getIdentity();
String managerID = link.getAttribute( "direct_manager_employee_id" );

Thank You


My question would be why does a user have multiple identity cubes?
I could understand that some might have them created by mistake and require manual intervention, but to have so many that you need to write a script seems strange.
Thanks

Hi @phil_awlings,

Our business requirement is to first terminate the employee in our authoritative source and disable the correlated AD and SAP accounts. Then, the employee will be provisioned using a new Employee Number from the authoritative source, which is why there is another identity cube. However, we should use the User ID created under the old Employee Number, thus we should correlate the two accounts to his new identity cube.

Thank you very much.

Hi @Mahesh_Mukku,

Thank you for the input. However, what we need to achieve is to correlate the old accounts to the new identity.

Thank you very much.

Is it the same authoritative source for each identity cube? I.e., does the user have two records in one source, or are you migrating from one to another?
If it's the latter, then you might get away with correlation rules if you place the new source as a higher authorisation in the profiles tab.

Hi Michael,

I believe the reason why you're not able to correlate the old account to your new identity is that the old account remains manualCorrelated=true. This will prevent recalculation of the correlation.

You need to update the manualCorrelate flag to false and run an unoptimized aggregation to recalculate the correlation.

Hi @jolan

Good Day. Where can we change the manualCorrelated flag to false? Is it via UI or API?

Thank you very much.

Hi @phil_awlings

Good day. No, it is the same authoritative source but a different employee number.

For instance, User ‘Michael’ with EmployeeNum ‘1000’ and User ID ‘A0001’ (generated by SailPoint) will be terminated. Then, the same user ‘Michael’ with new EmployeeNum ‘1001’ will be provisioned but will use the User ID ‘A0001’ of the old EmployeeNum.

Thank you very much.

Hi @mgambayan ,

[
  {
    "op": "remove",
    "path": "/identityId"
  }
]

You can use this body. Follow here for more details: How to uncorrelate an auth source account (so a new identity is created) - #2 by fmunerato

Here's the how-to. I meant updating the source account "manuallyCorrelated" flag to false, so it will get uncorrelated from the old identity.

You can refer to this for some explanation.

{
    "Reassign account": {
        "value": [
            {
                "op": "replace",
                "path": "/manuallyCorrelated",
                "value": "false"
            }
        ]
    }
}
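Added example, not part of the thread and not SailPoint's own code: a small Python helper that builds the two JSON Patch requests posted above and refuses any other operation, since re-pointing an account changes which identity owns its access. The `/v3/accounts/{id}` path, the `application/json-patch+json` media type, the base URL, the account id format and the bearer token are assumptions that do not appear in the thread.

```python
import json
import urllib.request

# The only operations this helper will send: the two bodies posted in the thread.
ALLOWED_OPS = {("remove", "/identityId"), ("replace", "/manuallyCorrelated")}

# Bodies copied from the thread.
UNCORRELATE = [{"op": "remove", "path": "/identityId"}]
CLEAR_MANUAL_FLAG = [{"op": "replace", "path": "/manuallyCorrelated", "value": "false"}]


def validate_ops(ops):
    """Return ops unchanged, or raise ValueError if anything is off the allow-list."""
    if not isinstance(ops, list) or not ops:
        raise ValueError("patch body must be a non-empty JSON array")
    for op in ops:
        if not isinstance(op, dict):
            raise ValueError(f"not a patch operation: {op!r}")
        if (op.get("op"), op.get("path")) not in ALLOWED_OPS:
            raise ValueError(f"operation not allowed: {op!r}")
        if (op["op"] == "replace") != ("value" in op):
            raise ValueError(f"'value' must accompany replace only: {op!r}")
    return ops


def build_patch_request(base_url, account_id, token, ops):
    """Build, without sending, the PATCH request for one account."""
    # Assumption: account ids are plain alphanumeric strings; anything else
    # could alter the URL path, so it is rejected.
    if not (isinstance(account_id, str) and account_id.isalnum()):
        raise ValueError("unexpected account id")
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/v3/accounts/{account_id}",  # assumed endpoint
        data=json.dumps(validate_ops(ops)).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json-patch+json",  # assumed media type
        },
    )


def send(request):
    """Send a built request and return (HTTP status, response text)."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")
```

Build the request with `CLEAR_MANUAL_FLAG` or `UNCORRELATE` and pass it to `send` only after reviewing the target account id.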

Hi @mgambayan
Greeting of the Day!

Can you try the below logic?

Map returnMap = new HashMap();

String dn = account.getStringAttribute( "distinguishedName" );
String empId = account.getStringAttribute( "employeeNumber" );
String empStatus = "";
sailpoint.object.Identity employee;

// Look up an existing identity whose employeeId matches the account's employeeNumber
List employees = idn.findIdentitiesBySearchableIdentityAttribute( "employeeId", "Equals", empId, "employeeId" );

if ( employees.iterator().hasNext() )
{
    employee = employees.iterator().next();
    empStatus = employee.getStringAttribute( "empStatus" );
    if ( dn != null && dn.toLowerCase().contains( "ou=disabled" ) )
    {
        // Account in the disabled OU: correlate on oldEmpId, only when the matched identity is FTE
        if ( empStatus != null && empStatus.equals( "FTE" ) )
        {
            returnMap.put( "identityAttributeName", "oldEmpId" );
            returnMap.put( "identityAttributeValue", empId );
        }
        return returnMap;
    }
    else
    {
        // Any other account: correlate on employeeId
        returnMap.put( "identityAttributeName", "employeeId" );
        returnMap.put( "identityAttributeValue", empId );
    }
    return returnMap;
}
// No identity matched the employeeNumber: return the empty map
return returnMap;
